WikiLeaks: Is Cloud the Solution?

As the WikiLeaks controversy brews, corporate ethics, privacy and the rights of whistleblowers are hot topics of debate. But what about security?

An access governance system might have prevented Army Pfc. Bradley Manning from allegedly downloading cables and sending the classified information to WikiLeaks. Though Manning had security clearance -- his job was to route intelligence reports to superiors -- he did not necessarily have authorization to access and download State Department reports.

Measures could have been taken to guard against the breach Manning has been accused of, but could the same measures be realistically deployed in other environments -- such as a bank, a hospital or a corporation? Not really, says Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of Web-based software. "The core challenge here, with Microsoft Word and Excel or whatever the data formats are, when trying to secure these things, you're really trying to do the impossible," he says. "Every time you send any of these files, a copy is made."

In a large organization such as Bank of America ($2.36 trillion in assets), which WikiLeaks founder Julian Assange has suggested could be the next WikiLeaks leak target, thousands of internal Microsoft Office documents are saved and sent via e-mail hundreds of times over during the course of a few days, Greenawalt says. "Every time a file is sent, it's replicated thousands and thousands of times. Companies can try to protect and encrypt that information; but the reality is that something is going to go wrong, because there is always a copy somewhere," he says.

Greenawalt calls it "a tell-tale sign" of the so-called PC era's ending -- an era that has been complicated by the emergence of mobility. Files are transmitted and received more now than ever before via handheld mobile devices, which makes implementing security safeguards and controls even more challenging. Thus, the future of secure file access and transmission can only exist in the cloud, Greenawalt argues. Computing in the cloud puts everything in one place, and access to information can be limited by privileges granted only to select employees. The cloud eliminates the need to store information on a hard drive or a thumb drive, which also limits the chances for leaks, he says.

"The need for human access proves the PC era is broken. The sooner we move on, the more secure we will all be," Greenawalt says. "By putting traffic in the cloud, you make the security and access equation fundamentally more solvable. It helps to keep you from missing a gap."

He says banks are buying into that cloud concept. In fact, many are even using Google Docs for shared access, rather than relying on traditional sent-and-received correspondence that can easily be traced and intercepted.

The cloud could prevent some insider threats, since today's current environment has made it all too easy for employees to grab sensitive information, says Julie McNelley, a senior fraud analyst at Aite Group LLC. "It's the little things that lead to most internal compromises, like walking away from your desk and not locking your screen," she says. "A lot of that kind of thing slips through the cracks."

But locking the screen or PC won't help in all cases, as Greenawalt points out. "It would be very easy for an IT guy to swap out a hard-drive and just take it," he says. "It's not difficult to overcome the security practices that are in place."

Internal fraud is still one of the biggest issues in financial services, McNelley says, especially since the embezzlement of funds and the compromise of consumer financial information are so tempting. Financial institutions have put controls in place to protect information that might compromise customer accounts and ultimately lead to identity theft. But when it comes to securing their own internal information, protection has not been a priority.

Privacy expert and attorney Kirk Nahra says most chief information security officers focus on outside threats -- cyber attacks, socially engineered breaches like phishing and vishing, and the interception of transaction data. As the WikiLeaks State Department leak proves, "Internal threats are just as significant," Nahra says. "What is coming in here is corporate privacy. Twenty years ago we had a focus on trade secrets and the need for privacy in the business environment; today, we have a focus on personal privacy."

More Corporate Privacy?

Nahra says corporations and the courts have forgotten about risks businesses face when it comes to their own information vulnerabilities. "There are legal reasons why an employee cannot leak information about an individual, but we have a lot of sympathy for whistleblowers." Besides, as WikiLeaks proves, once the information is out there, there's little an entity can do to combat the public relations backlash.

"What this shows is that we have all kinds of controls, but they don't work very well," Nahra says. Controls can be improved. While it might not be easy to limit the information employees must access, it is relatively easy to monitor that access -- keeping an eye on what information and files are being viewed, by whom and how often, Nahra says.

"I think it's all a question of how much infrastructure you're going to build," he says. "Are they real-time controls, or are these controls you have in place to detect a breach after something happens? There is a real difference there."
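The two kinds of control Nahra distinguishes, and the clearance-versus-authorization gap described in the Manning case, can both be expressed over an access audit log. The following is an added example, not code from the article or from any vendor or analyst quoted in it. It assumes a hypothetical log format (timestamp, user, role, document ID, classification, action) and a hypothetical policy table mapping roles to the classifications they may read; the sample log lines are constructed for the example. The first check is the real-time kind: deny or flag any access where the role, whatever its clearance level, is not authorized for that document's classification. The second is the after-the-fact kind: look at who viewed what and how often, and flag any user who touches an unusual number of distinct documents inside a short window, which is what a bulk download of cables looks like in the log.

```python
"""Audit-log review for insider document access (added example).

Assumed, hypothetical log format, one event per line:
    <ISO-8601 timestamp> <user> <role> <doc_id> <classification> <action>
The policy table and the sample log below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: the classifications each role is authorized to read.
# Holding a clearance (a role) is not the same as being authorized for every
# document, which is the gap the Manning case illustrates.
POLICY = {
    "intel_analyst": {"unclassified", "intel_report"},
    "state_liaison": {"unclassified", "diplomatic_cable"},
    "it_admin": {"unclassified"},
}

# Constructed sample audit log in the format described above.
SAMPLE_LOG = """\
2010-05-01T09:00:00 alice intel_analyst D-100 intel_report read
2010-05-01T09:01:00 alice intel_analyst D-101 intel_report read
2010-05-01T09:02:00 bob state_liaison C-200 diplomatic_cable read
2010-05-01T09:03:00 alice intel_analyst C-201 diplomatic_cable download
2010-05-01T09:03:30 alice intel_analyst C-202 diplomatic_cable download
2010-05-01T09:04:00 alice intel_analyst C-203 diplomatic_cable download
2010-05-01T09:04:30 alice intel_analyst C-204 diplomatic_cable download
2010-05-01T09:05:00 alice intel_analyst C-205 diplomatic_cable download
2010-05-01T09:05:30 alice intel_analyst C-206 diplomatic_cable download
2010-05-01T10:30:00 bob state_liaison C-207 diplomatic_cable read
2010-05-01T11:00:00 carol it_admin D-100 intel_report read
"""


def parse_log(text):
    """Parse log lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, user, role, doc_id, classification, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "doc_id": doc_id,
            "classification": classification, "action": action,
        })
    return events


def unauthorized_accesses(events, policy=POLICY):
    """Real-time control: every event whose role is not authorized for the
    document's classification, regardless of the user's clearance."""
    return [e for e in events
            if e["classification"] not in policy.get(e["role"], set())]


def bulk_access_alerts(events, window=timedelta(minutes=10), threshold=5):
    """After-the-fact control: users who touched more than `threshold` distinct
    documents inside any sliding window of length `window`. Returns a map of
    user -> largest distinct-document count observed in one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["doc_id"] for e in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[user] = max(alerts.get(user, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in unauthorized_accesses(evs):
        print(f"UNAUTHORIZED {e['user']} ({e['role']}) -> "
              f"{e['doc_id']} [{e['classification']}]")
    for user, n in bulk_access_alerts(evs).items():
        print(f"BULK {user}: {n} distinct documents within 10 minutes")
```

On the constructed log, the authorization check flags alice's six cable downloads and carol's read of an intelligence report, while the volume check flags only alice, whose eight distinct documents in under six minutes stand out even though two of them were within her role. The threshold and window are the infrastructure question Nahra raises: tuned to an organization's baseline, the same logic can run inline to block, or overnight to detect.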

About the Author

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
